Update agreements and conversations SURF and Google

In July 2021, SURF and Google reached an important agreement on the use of Google Workspace for Education by educational institutions. It involves a set of contractual, organizational and technical measures.

Since this agreement, we have been in close contact with Google to ensure that they fulfill our agreements and to discuss related issues such as Google ChromeOS and the Chrome browser. In this article, we inform you, in our role as advocate, about the current state of affairs.

Google promised us at the time that it would complete all the steps to be taken to minimize high privacy risks before the end of 2022. With three months to go, we are hopeful that this will succeed and that schools can continue to use Workspace for Education securely.

International attention

Several European countries and governments are benefiting from the privacy agreements SURF reached with Google. This breakthrough led to Google's announcement in March 2022 that it will improve privacy protection worldwide.

DTIA: study of data exchange with Google in the U.S.

When using Workspace for Education, some European data is exchanged with Google in the United States. One of the requirements of the General Data Protection Regulation (GDPR) is that the use of personal data outside the EU must meet the same level of protection as if the data were used within the EU. SURF is investigating the transfer of data outside the EU through a Data Transfer Impact Assessment (DTIA) for Google Workspace for Education. This assesses which personal data is exchanged with a country outside the European Economic Area (EEA) and whether sufficient appropriate safeguards are in place. These safeguards include, for example, technical measures such as encryption or the use of Standard Contractual Clauses (SCCs) prescribed by the European Commission. If necessary, additional agreements are made with Google so that the use of Workspace for Education can continue. This DTIA is being conducted in collaboration with education partner SIVON and SLM Rijk (Ministry of Justice and Security). Recently, Microsoft Teams, SharePoint and OneDrive, and Zoom were examined, with a similar DTIA forming part of the DPIA. The results of the DTIA on Workspace (for Education) are expected to follow in early 2023.

Processor versions of Google ChromeOS and Chrome browser

In early 2022, SIVON joined SURF to investigate potential privacy issues within ChromeOS and the Chrome browser. Google has since indicated in a public statement that it is developing a processor version. With this important change in direction, organizations such as educational institutions retain full control over the personal data processed within ChromeOS by Google. It is important to note that the processor version of ChromeOS is only available for Chromebooks that are centrally managed through a Workspace account. Thus, the processor version does not apply to Chromebooks that are not managed through a Workspace account, nor to Chrome browsers installed on Windows or Apple devices.

SURF expects to offer its educational institutions a new processor agreement (“terms of service”) for ChromeOS and Chrome browser during the fourth quarter of 2022. SURF and Google are laying out the changes within ChromeOS in a so-called commitment plan. The development of a processor version for ChromeOS requires Google to make many adjustments to the existing software/code. We expect a (first) version around August 2023. This version is sufficient as a risk-mitigating measure.

Local DPIA by schools

The agreements that SIVON, SURF and SLM Rijk made with Google only apply if educational institutions themselves accept these agreements. Last year, schools received an amended agreement from Google. At the end of this year, schools will also receive a customized agreement (“terms of service”) for ChromeOS and Chrome browser. In addition, it is important that educational institutions themselves conduct an institution-specific ('local') DPIA. In it, institutions assess for themselves whether their use of Workspace for Education (Plus) - and soon ChromeOS and Chrome browser - adequately addresses the protection of personal data in accordance with the GDPR. SURF and SIVON have provided educational institutions with a complete set of documents for Workspace for Education for this purpose. For ChromeOS and Chrome browser, this will be published next year.

Danish data protection agency ruling has no impact on Dutch education

In July, the Danish privacy regulator ruled that a Danish municipality may no longer use Google Workspace and Chromebooks. In the ruling, the regulator found that the municipality did not meet the required conditions, so it must stop using Google Workspace and Chromebooks. Google must destroy the users' data. This ruling does not affect Dutch educational institutions.

Violations

In previous years, the Danish regulator found several violations of the GDPR. The municipality was instructed to conduct a risk assessment and bring Google usage in line with the GDPR. According to the regulator, the Danish municipality did not assess any concrete risks as part of a (pre-)DPIA, but made an assessment that there were no high risks in using Google Workspace. The DPIA carried out is simply not good (enough). The Danish regulator further believes that data that can be transferred to third countries (read: the U.S.) must be adequately secured. Google should not have access to the data, or have the keys that give access to encrypted data. Google must be transparent about the purposes of processing personal data. Before purchasing Google Workspace and Chromebooks, the municipality should have done technical research, and negotiated (better) with Google about the (verifiability of the) role of controller. In addition, there is much ambiguity about the additional Google Workspace services.

Netherlands as an example

The ruling does not affect Dutch educational institutions. Indeed, good agreements have been made with Google that limit or eliminate the privacy risks mentioned. In addition, a thorough DPIA has been carried out. In a recent interview, one of the Danish researchers explicitly refers to the Workspace for Education study conducted in the Netherlands as an example to follow. A study is also being conducted on the transfer of student data to the U.S. (data transfer impact assessment; DTIA). Regarding ChromeOS, agreements have been reached with Google on a “processor version” for managed Chromebooks. The conclusions of the Danish regulator therefore do not and will not apply to the Dutch situation.

Google has published a separate article in response to the situation in Denmark with reference to the situation in the Netherlands.

ACM investigation into cloud services

Recently, the Authority for Consumers and Markets (ACM) published a market study on cloud services. Users of (business) cloud services find it difficult to switch providers, and cloud services from different providers are not easy to combine. This creates risks for the price, quality and innovation of cloud services. The study does not focus on privacy and security, but it does touch on them because of the market position of these cloud providers.

The ACM's research points to two risks:

  • Lock-in of users: switching cloud services is difficult. This is reinforced by behaviors of cloud providers and functionalities of services.
  • Cloud products limit competition because cloud providers direct users only to their own services. Privacy and security, however, are relevant choice parameters that (can) influence competition in the market.

The European Commission has proposed a law, the Data Act. This law will make it easier and safer to share data while maintaining full control over it. The goal of the Data Act is to create a fair digital environment, make data more accessible to all, and enable data-driven innovations. In the study, the ACM suggests embracing this Act and improving (expanding) obligations around interoperability between cloud services, so that cloud services become easier to combine. Furthermore, the ACM is conducting follow-up research to determine whether and to what extent switching barriers cause competition problems in practice and whether these can already be addressed now.